Cybility Savvy

E20- What does the board do about cybersecurity?

October 14, 2022 Michala Liavaag Episode 20
Cybility Savvy
E20- What does the board do about cybersecurity?
Show Notes Transcript

What part does the board play in keeping organisations more cyber resilient? 

Michala Liavaag explains the important role board members play in cybersecurity no matter the size of the organisation. Boards need to see cybersecurity as any other risk they need to take into consideration, in order to ensure it is working to meet the organisation's objectives. 

Michala also answers the question: is cyber security an IT job? 

As always, board members will leave with practical tips and questions they can ask their executives, to make sure cybersecurity is properly governed. 

👉 Cited in this episode: 

Cybility Savvy's episode E10- Where do we start? https://www.cybilityconsulting.co.uk/cms/cybilitysavvy/start-cybersecurity

Cybility Savvy's episode E5- How can leaders drive 'Cybersecurity First'?

https://www.cybilityconsulting.co.uk/cms/cybilitysavvy/cybersecurity-first

-----

⭐Found this useful? Please rate and review, as it helps reaching more people 

👍You can also subscribe and share on social media

💬 Contribute to future episodes with your cyber security concerns and questions

📃Transcription 

🤝Connect with Michala and Cybility Savvy:

LinkedInTwitterYoutubeInstagram 

 ---

✍🏾Written and produced by Michala Liavaag

🎦Co-produced and edited by Ana Garner video

🎵Music by CFO Garner

-----

⭐Found this useful? Please rate and review, as it helps reaching more people

👍You can also subscribe and share on social media

💬 Contribute to future episodes with your cyber security concerns and questions

🤝Connect with Michala and Cybility Savvy:

LinkedInTwitterYoutubeInstagram

---

✍🏾Written and produced by Michala Liavaag

🎦Co-produced and edited by Ana Garner video

🎵Music by CFO Garner

Do you think cyber security is IT's job? Well I've got news for you

It actually starts and ends with the board 

Stay tuned to find out why I say that as we explore some of the aspects and activities that board members are involved in to help govern cybersecurity across their organisation 

Cybility Savvy the quickest way to go from cyber confused to cyber savvy 

Hello I'm Michala Liavaag founder of Cybility Consulting

As members of the board the key thing for you is good governance of the organisation and ensuring that it's working to meet its actual objectives of what it's there for to deliver for your maybe beneficiaries or your customers 

with cybersecurity it's no different to any other area that you're responsible for as a board. You'll look at risk as say health and safety, finance and how that's managed and governed operationally and the same thing applies to cybersecurity 

One of the things that you can be doing as a board is first of all is it actually on the organisation's agenda? Are they actually recognizing this risk and dealing with it? If they are, then looking at is there an established program in place? What are they using as a framework? How are they doing that? 

Who is this they? We'll come back to that in just a moment

Looking at how they prioritize and make decisions around cybersecurity whether it's the risk versus benefit of doing something, or perhaps the cost associated with implementing something. And in terms of the management and operation of whatever that framework or program is, actually monitoring the performance and baselining that at the start so you know how you're doing on that journey as an organisation in terms of improving that cyber security maturity is really important. All too often I see programs where they just start doing something because they know they need to do something about cyber, but they don't actually look at where they are, take that baseline measurement and then look at what quantifiable improvements are being made with the efforts that they're investing.

So that's one of the things that as a board you can be looking at and challenging and making sure those decision making processes are appropriate and are robust

One of the other things that you'll be concerned about as a board is you know, is the organisation complying with legislation, the regulatory requirements, if you're in a regulated industry? But also perhaps your contractual obligations if you've got clients who have very specific needs that your organisation is going to deliver on?

Having assurance around those aspects, doing a bit of a deep dive occasionally into those, is something that you can do, perhaps as a subcommittee rather than the board itself, but definitely something that I would encourage to happen

Ultimately all of this is about achieving the objectives of the organisation and the way that's done will differ depending on a range of factors

One of the things I'd really encourage you to do is go and watch a previous episode because then you'll sort of get an understanding of how in cybersecurity we're looking at everything in an organisation, thinking about the people, the geography, the legislation, the technology, there's so many different aspects and so I'd really encourage you to go and have an understanding of that because that, because that will then sort of guide us through the rest of this journey

Coming back to that question about who are they, that's actually doing the operational management and implementation of your cybersecurity program, that will differ again depending on the organisation

If we look at larger organisations for a moment, one of the things that I often see is, and I'll just give you an example here, that you'll have say a board member has seen something on the news and thinks oh my goodness that could happen here, go to their executive team and say, you know what are we doing about cyber? 

The executive team then go to their CIO, if they have one, and say you know well it's I.T job isn't it? What are you doing about cyber? And the CIO goes to their I.T person and says what are we doing about cyber, you've got land control right?

One of the things that I often see is that there's a bit of a confusion between I.T and cybersecurity. Now it's fair to say that absolutely a lot of I.T professionals will have some understanding of cybersecurity. In particular they'll be very familiar with identity management controls, about giving access to people, removing it, that sort of thing

But when it comes to actually securing systems quite often there's a bit of a gap there and they may not be aware, because they are different disciplines

So whilst it would be great to have some cybersecurity people in your I.T Department if you have your own I.T Department, if you don't and you're outsourcing then from a board point of view, what assurance do you have around the supply chain?

Is your outsourced I.T provider doing what you need from a security point of view?

So what if you're a small organisation? You don't have an outsourced I.T provider, you don't have an in-house I.T Department, it's all on you?

Good news! It makes the governance a little bit easier because the decision-making process is quite short from that point of view, but it does mean that you need to perhaps upskill yourself and begin to understand a little bit about some of the basics around cybersecurity, and we talk about that in another episode that we can link you to

One of the things as well around I.T and cybersecurity is: we have different objectives, particularly if there is an incident. Say there is an incident then I.T's job is to get everyone up and running as quickly as possible so that the organisation can keep delivering its services

In cybersecurity it's about protecting the evidence around an incident and being able to follow that trail and be confident that that instance is been taken care of before restoring services

So there can be this sort of bit of push and pull between those areas, so it's really important again that as a board you've been clear about the direction for the organisation, what the priorities are and you know are you going to prioritize service operation over potentially security investigations? And there's no right or wrong around this, it's down to what's important to you as a cohesive board around the risks that you want to take, and that that sets the direction and the parameters for those that are then going to operationally manage the cybersecurity program. In terms of who those people are, join me for another episode and we'll have a closer look at that.